Critical security update OpenJDK
Red Hat Product Security has rated this update as having a security impact of Critical (Issued:2017-10-20).
Security Fix(es):
- Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)
- It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients. (CVE-2017-10388)
- It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. (CVE-2017-10356)
- A flaw was found in the Smart Card IO component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2017-10274)
- It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. (CVE-2017-10355)
- It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request. (CVE-2017-10295)
- It was discovered that multiple classes in the JAXP, Serialization, Libraries, and JAX-WS components of OpenJDK did not limit the amount of memory allocated when creating object instances from the serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized. (CVE-2017-10349, CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345, CVE-2017-10348, CVE-2017-10350)
Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
https://access.redhat.com/errata/RHSA-2017:2998
(from redmine: issue id 8111, created on 2017-11-07, closed on 2018-09-11)
- Changesets:
- Revision 4d34f29d by Timo Teräs on 2017-11-08T13:43:26Z:
community/openjdk8: upgrade to icedtea 3.6.0, modernize
S8165543: Better window framing
S8169026, CVE-2017-10274: Handle smartcard clean up better
S8169966: Larger AWT menus
S8170218: Improved Font Metrics
S8171252: Improve exception checking
S8171261: Stability fixes for lcms
S8174109, CVE-2017-10281: Better queuing priorities
S8174966, CVE-2017-10285: Unreferenced references
S8175940: More certificate subject checking
S8176751, CVE-2017-10295: Better URL connections
S8178794, CVE-2017-10388: Correct Kerberos ticket grants
S8180024: Improve construction of objects during deserialization
S8180711, CVE-2017-10346: Better invokespecial checks
S8181100, CVE-2017-10350: Better Base Exceptions
S8181323, CVE-2017-10347: Better timezone processing
S8181327, CVE-2017-10349: Better X processing
S8181370, CVE-2017-10345: Better keystore handling
S8181432, CVE-2017-10348: Better processing of unresolved permissions
S8181597, CVE-2017-10357: Process Proxy presentation
S8181612, CVE-2017-10355: More stable connection processing
S8181692, CVE-2017-10356: Update storage implementations
S8183028, CVE-2016-10165: Improve CMS header processing
S8184682, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library
ref #8018, #8111
- Revision b3a4d84b by Timo Teräs on 2018-06-13T17:08:20Z:
community/openjdk8: upgrade to icedtea 3.6.0, modernize
S8165543: Better window framing
S8169026, CVE-2017-10274: Handle smartcard clean up better
S8169966: Larger AWT menus
S8170218: Improved Font Metrics
S8171252: Improve exception checking
S8171261: Stability fixes for lcms
S8174109, CVE-2017-10281: Better queuing priorities
S8174966, CVE-2017-10285: Unreferenced references
S8175940: More certificate subject checking
S8176751, CVE-2017-10295: Better URL connections
S8178794, CVE-2017-10388: Correct Kerberos ticket grants
S8180024: Improve construction of objects during deserialization
S8180711, CVE-2017-10346: Better invokespecial checks
S8181100, CVE-2017-10350: Better Base Exceptions
S8181323, CVE-2017-10347: Better timezone processing
S8181327, CVE-2017-10349: Better X processing
S8181370, CVE-2017-10345: Better keystore handling
S8181432, CVE-2017-10348: Better processing of unresolved permissions
S8181597, CVE-2017-10357: Process Proxy presentation
S8181612, CVE-2017-10355: More stable connection processing
S8181692, CVE-2017-10356: Update storage implementations
S8183028, CVE-2016-10165: Improve CMS header processing
S8184682, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library
ref #8018, #8111
- Revision 305f8cb9 by Timo Teräs on 2018-06-13T21:19:43Z:
community/openjdk8: upgrade to icedtea 3.6.0, modernize
S8165543: Better window framing
S8169026, CVE-2017-10274: Handle smartcard clean up better
S8169966: Larger AWT menus
S8170218: Improved Font Metrics
S8171252: Improve exception checking
S8171261: Stability fixes for lcms
S8174109, CVE-2017-10281: Better queuing priorities
S8174966, CVE-2017-10285: Unreferenced references
S8175940: More certificate subject checking
S8176751, CVE-2017-10295: Better URL connections
S8178794, CVE-2017-10388: Correct Kerberos ticket grants
S8180024: Improve construction of objects during deserialization
S8180711, CVE-2017-10346: Better invokespecial checks
S8181100, CVE-2017-10350: Better Base Exceptions
S8181323, CVE-2017-10347: Better timezone processing
S8181327, CVE-2017-10349: Better X processing
S8181370, CVE-2017-10345: Better keystore handling
S8181432, CVE-2017-10348: Better processing of unresolved permissions
S8181597, CVE-2017-10357: Process Proxy presentation
S8181612, CVE-2017-10355: More stable connection processing
S8181692, CVE-2017-10356: Update storage implementations
S8183028, CVE-2016-10165: Improve CMS header processing
S8184682, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library
ref #8018, #8111